Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Is this the live query interface, or scheduled queries?

I tried `SELECT * FROM file_events LIMIT 10` and `SELECT * FROM process_events LIMIT 10`

`file_events` requires that you configure the watch paths. Did you do that?

I have not... I'll look into that. Still, I believe process_events should work without any additional config

I believe the `process_events` needs additional configuration (outside of osquery) as well. See <https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-auditing>

Some that do not need additional config are `disk_events` (try opening a dmg) or `hardware_events` (plug any usb device)

Still no luck on `process_events`, even after modifying the audit config and a reboot

Now testing with `osqueryi` if that matters at all

For any of those event types? What does your config look like?